Linux ELF not recognized #988

Closed
forensenellanebbia opened this issue Apr 9, 2022 · 5 comments · Fixed by #1028
forensenellanebbia commented Apr 9, 2022

Description

Two ELF binaries are not recognized by capa.
It seems similar to the closed issue: Linux ELF Not Recognised #867:

remnux@remnux:/tmp/malware$ capa 64b9584e5ca7d5c4980bd72e63718b634a8912d4dc123de940db36dd111931ae 
loading : 100%|██████████████████████████████████████████████████████████████████████████| 661/661 [00:00<00:00, 1486.85 rules/s]
ERROR:capa:--------------------------------------------------------------------------------
ERROR:capa: Input file does not appear to target a supported OS.
ERROR:capa: 
ERROR:capa: capa currently only supports analyzing executables for some operating systems (including Windows and Linux).
ERROR:capa:--------------------------------------------------------------------------------
remnux@remnux:/tmp/malware$ file 64b9584e5ca7d5c4980bd72e63718b634a8912d4dc123de940db36dd111931ae 
64b9584e5ca7d5c4980bd72e63718b634a8912d4dc123de940db36dd111931ae: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=8394e29f3afbf71d6811a2d8920c8ffa963138ba, for GNU/Linux 3.2.0, stripped
remnux@remnux:/tmp/malware$ capa f8a451e0779f556a804bcb27ab533ad1ed885b4c4b28ce02b02d84cfb4abfca4 
loading : 100%|██████████████████████████████████████████████████████████████████████████| 661/661 [00:00<00:00, 1555.74 rules/s]
ERROR:capa:--------------------------------------------------------------------------------
ERROR:capa: Input file does not appear to target a supported OS.
ERROR:capa: 
ERROR:capa: capa currently only supports analyzing executables for some operating systems (including Windows and Linux).
ERROR:capa:--------------------------------------------------------------------------------
remnux@remnux:/tmp/malware$ file f8a451e0779f556a804bcb27ab533ad1ed885b4c4b28ce02b02d84cfb4abfca4 
f8a451e0779f556a804bcb27ab533ad1ed885b4c4b28ce02b02d84cfb4abfca4: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped

Steps to Reproduce

Samples on VT:

Versions

capa v3.2.0-0-gd9d72ad (standalone)
OS: Ubuntu 20.04.1 LTS

williballenthin (Collaborator) commented

64b9584e5ca7d5c4980bd72e63718b634a8912d4dc123de940db36dd111931ae has .note.ABI-tag=OS: Linux, ABI: 3.2.0 which we should be able to detect.

williballenthin (Collaborator) commented

python scripts/detect-elf-os.py ~/Downloads/64b9584e5ca7d5c4980bd72e63718b634a8912d4dc123de940db36dd111931ae -d
DEBUG:capa.features.extractors.elf:ei_class: 0x02 ei_data: 0x01
DEBUG:capa.features.extractors.elf:e_phoff: 0x40 e_phentsize: 0x38 e_phnum: 8
DEBUG:capa.features.extractors.elf:ei_osabi: 0x00 (unknown)
DEBUG:capa.features.extractors.elf:p_type: 0x0001
DEBUG:capa.features.extractors.elf:p_type: 0x0001
DEBUG:capa.features.extractors.elf:p_type: 0x0001
DEBUG:capa.features.extractors.elf:p_type: 0x0001
DEBUG:capa.features.extractors.elf:p_type: 0x0004
DEBUG:capa.features.extractors.elf:p_offset: 0x200 p_filesz: 0x0044
DEBUG:capa.features.extractors.elf:namesz: 0x04 descsz: 0x14 type: 0x0003
DEBUG:capa.features.extractors.elf:name: GNU
DEBUG:capa.features.extractors.elf:p_type: 0x0007
DEBUG:capa.features.extractors.elf:p_type: 0x6474e551
DEBUG:capa.features.extractors.elf:p_type: 0x6474e552
DEBUG:capa.features.extractors.elf:sh_offset: 0x200 sh_size: 0x0024
DEBUG:capa.features.extractors.elf:namesz: 0x04 descsz: 0x14 type: 0x0003
DEBUG:capa.features.extractors.elf:name: GNU
DEBUG:capa.features.extractors.elf:sh_offset: 0x224 sh_size: 0x0020
DEBUG:capa.features.extractors.elf:namesz: 0x04 descsz: 0x10 type: 0x0001
DEBUG:capa.features.extractors.elf:name: GNU
DEBUG:capa.features.extractors.elf:sh_offset: 0x3ddde0 sh_size: 0x1ef4
DEBUG:capa.features.extractors.elf:namesz: 0x08 descsz: 0x52 type: 0x0003
DEBUG:capa.features.extractors.elf:name: stapsdt
unknown

williballenthin (Collaborator) commented Apr 9, 2022

              n_name = GNU
                   Extensions used by the GNU tool chain.

                   NT_GNU_ABI_TAG (== 0x1)
                          Operating system (OS) ABI information.  The
                          desc field will be 4 words:

                          • word 0: OS descriptor (ELF_NOTE_OS_LINUX,
                            ELF_NOTE_OS_GNU, and so on)
                          • word 1: major version of the ABI
                          • word 2: minor version of the ABI
                          • word 3: subminor version of the ABI

https://man7.org/linux/man-pages/man5/elf.5.html

williballenthin (Collaborator) commented

the note is found in a section not referenced by the program headers.

duplicating the following logic in the section scan works locally:

    # fragment of capa's per-note loop: name, descsz, desc_offset, note, endian,
    # ret and logger are bound by the enclosing scan over the note headers
    if name == "GNU":
        if descsz < 16:
            continue
        desc = note[desc_offset : desc_offset + descsz]
        abi_tag, kmajor, kminor, kpatch = struct.unpack_from(endian + "IIII", desc, 0x0)
        # via readelf: https://github.com/bminor/binutils-gdb/blob/c0e94211e1ac05049a4ce7c192c9d14d1764eb3e/binutils/readelf.c#L19635-L19658
        # and here: https://github.com/bminor/binutils-gdb/blob/34c54daa337da9fadf87d2706d6a590ae1f88f4d/include/elf/common.h#L933-L939
        GNU_ABI_TAG = {
            0: OS.LINUX,
            1: OS.HURD,
            2: OS.SOLARIS,
            3: OS.FREEBSD,
            4: OS.NETBSD,
            5: OS.SYLLABLE,
            6: OS.NACL,
        }
        logger.debug("GNU_ABI_TAG: 0x%02x", abi_tag)
        if abi_tag in GNU_ABI_TAG:
            # update only if not set
            # so we can get the debugging output of subsequent strategies
            ret = GNU_ABI_TAG[abi_tag] if not ret else ret
            logger.debug("abi tag: %s earliest compatible kernel: %d.%d.%d", ret, kmajor, kminor, kpatch)
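
A self-contained illustration of the two note scans contrasted above, added here as an example and not capa's own code: it constructs a minimal ELF64 image whose PT_NOTE segment carries only a build-id note while the NT_GNU_ABI_TAG note lives in an SHT_NOTE section no segment references, then shows that walking program headers finds no ABI tag while walking section headers recovers Linux 3.2.0. The `build_sample` bytes, the `TABLES` field map and the lowercase OS names are this example's own assumptions; the hashes and offsets of the reporter's sample are not used.

```python
import struct

PT_NOTE, SHT_NOTE, NT_GNU_ABI_TAG = 4, 7, 1
# desc word 0 of NT_GNU_ABI_TAG -> OS, the binutils table cited in the comment above
GNU_ABI_TAG = {0: "linux", 1: "hurd", 2: "solaris", 3: "freebsd", 4: "netbsd", 5: "syllable", 6: "nacl"}
# ELF64 header-table layout: e_*off, e_*entsize (e_*num follows it), wanted type, type/offset/size fields per entry
TABLES = {"ph": (0x20, 0x36, PT_NOTE, 0, 8, 0x20), "sh": (0x28, 0x3A, SHT_NOTE, 4, 0x18, 0x20)}


def note_regions(buf, table):
    """(offset, size) of every PT_NOTE segment ("ph") or SHT_NOTE section ("sh") of an ELF64 image."""
    e = "<" if buf[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    off_at, cnt_at, want, t_at, o_at, s_at = TABLES[table]
    off, = struct.unpack_from(e + "Q", buf, off_at)
    entsize, num = struct.unpack_from(e + "HH", buf, cnt_at)
    out = []
    for ent in range(off, off + num * entsize, entsize):
        if struct.unpack_from(e + "I", buf, ent + t_at)[0] == want:
            out.append((struct.unpack_from(e + "Q", buf, ent + o_at)[0],
                        struct.unpack_from(e + "Q", buf, ent + s_at)[0]))
    return out


def gnu_abi_tag(buf, regions):
    """Walk every note entry in the regions; return (os, (major, minor, patch)) of the first GNU ABI tag, else None."""
    e = "<" if buf[5] == 1 else ">"
    for off, size in regions:
        blob, pos = buf[off:off + size], 0
        while pos + 12 <= len(blob):
            namesz, descsz, ntype = struct.unpack_from(e + "III", blob, pos)
            name = blob[pos + 12:pos + 12 + namesz].rstrip(b"\x00")
            desc_off = pos + 12 + ((namesz + 3) & ~3)  # name and desc are each padded to 4 bytes
            if name == b"GNU" and ntype == NT_GNU_ABI_TAG and descsz >= 16 and desc_off + 16 <= len(blob):
                tag, kmaj, kmin, kpatch = struct.unpack_from(e + "IIII", blob, desc_off)
                return GNU_ABI_TAG.get(tag, "unknown"), (kmaj, kmin, kpatch)
            pos = desc_off + ((descsz + 3) & ~3)
    return None


def build_sample():
    """Constructed ELF64 image: its PT_NOTE segment holds only a build-id; the ABI tag sits in a section no segment covers."""
    build_id = struct.pack("<III", 4, 20, 3) + b"GNU\x00" + b"\xaa" * 20  # NT_GNU_BUILD_ID with a dummy hash
    abi_tag = struct.pack("<III", 4, 16, NT_GNU_ABI_TAG) + b"GNU\x00" + struct.pack("<IIII", 0, 3, 2, 0)  # Linux 3.2.0
    noteoff = 0x40 + 0x38  # ELF header, one program header, then the two notes, then the section headers
    shoff = noteoff + len(build_id) + len(abi_tag)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 0x40, shoff, 0, 0x40, 0x38, 1, 0x40, 3, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 4, noteoff, 0, 0, len(build_id), len(build_id), 4)
    shdrs = b"\x00" * 0x40  # section 0 is the mandatory null entry
    for off, size in ((noteoff, len(build_id)), (noteoff + len(build_id), len(abi_tag))):
        shdrs += struct.pack("<IIQQQQIIQQ", 0, SHT_NOTE, 0, 0, off, size, 0, 0, 4, 0)
    return ehdr + phdr + build_id + abi_tag + shdrs
```

Running `gnu_abi_tag(img, note_regions(img, "ph"))` on the constructed image returns None, while the `"sh"` scan returns `("linux", (3, 2, 0))`, which is the gap the section-scan duplication above closes.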

@williballenthin williballenthin added the bug Something isn't working label Apr 9, 2022
@williballenthin williballenthin self-assigned this Apr 9, 2022
williballenthin (Collaborator) commented

thanks for reporting this @forensenellanebbia! also, having the test cases made this easy to triage. we'll have a fix as a part of the next release (v4), likely in a couple weeks.
